Exchange: Create a PFX Certificate and Import a Private Key

KB ID 0001528

Problem

On my test network I have an Exchange server (Exchange 2016). As it's publicly available and connected to Office 365 it needs a digital certificate. Because it's my test network, I don't want to spend a fortune on certificates, so I buy the cheapest one I can find. I replaced it last week with a two-year certificate for about $5.00.

When the certificate came I had certificate-name.crt and a CA bundle, but I could NOT import it into Exchange (because the private key was missing). I did have the private key; I downloaded it when I made the certificate request.

So I had the certificate and the private key. I needed to either get the private key onto my Exchange server, or create a PFX file (a PKCS#12 container that holds the certificate, its private key and, optionally, the issuing chain, protected by a password) that I could import into Exchange. Exchange will only accept a certificate plus key in that form.

Create a PFX File with OpenSSL

The simplest way to create a PFX (if you are feeling lazy) is to use an online converter and let them do it for you. Bear in mind that this means uploading your private key to a third party: whoever runs that site can then impersonate your mail server, so only do that with a key you are prepared to treat as compromised. I know I can do this with OpenSSL; as a Mac user I already have it, and if you are a Windows user you can install OpenSSL for Windows and do the same thing.

Firstly, place your private key file and certificate in a folder you can get at, like so;

Then execute the following command;

[box]

openssl pkcs12 -export -out output-cert-name.pfx -inkey key-file-name.key -in input-cert-name.crt

[/box]

When prompted, enter an export password (you will need to enter this on your Exchange server, so make a note of it!). You will then have your .PFX file. Treat that file like the private key itself: anyone who has it and the password has your server's identity, so don't leave it lying on a file share after the import.
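The same OpenSSL export, with the CA bundle included so Exchange will serve the intermediate chain, followed by a local check that the PFX really does carry a private key for that certificate before it goes anywhere near the server. This is an added example, not code from the original article; it assumes openssl is on the PATH, that the three input files exist in the current folder, and the file names are placeholders.

```powershell
# Added example (not from the original article): build a PFX with OpenSSL that
# includes the CA bundle, then prove the private key matches the certificate
# before the file is copied to Exchange.
# Assumptions: openssl is on the PATH; the three input files below exist in the
# current folder; file names are placeholders. Works in pwsh on macOS and in
# Windows PowerShell 5.1.
$crt    = '.\certificate-name.crt'        # server certificate from the CA
$key    = '.\certificate-name.key'        # private key saved when the CSR was made
$bundle = '.\certificate-name.ca-bundle'  # intermediate chain from the CA
$pfx    = '.\certificate-name.pfx'

# Prompt for the export password rather than typing it on the command line,
# so it does not end up in shell history or a PowerShell transcript.
$securePwd = Read-Host -Prompt 'PFX export password' -AsSecureString
$plainPwd  = [System.Net.NetworkCredential]::new('', $securePwd).Password

# -certfile adds the intermediates to the PFX so Exchange sends the full chain.
# The password reaches openssl through the environment (-passout env:NAME)
# instead of as an argument that other local users could read from the process list.
$env:PFX_PASS = $plainPwd
& openssl pkcs12 -export -out $pfx -inkey $key -in $crt -certfile $bundle -passout env:PFX_PASS
$exitCode = $LASTEXITCODE
Remove-Item Env:\PFX_PASS
$plainPwd = $null
# openssl refuses with "No certificate matches private key" when the .key and
# .crt do not belong together; that surfaces here as a non-zero exit code.
if ($exitCode -ne 0) { throw "openssl pkcs12 failed with exit code $exitCode" }

# Verify: load the .crt and the .pfx with .NET and compare them.
# HasPrivateKey is exactly the property Exchange complains about when it is
# missing (the PrivateKeyMissing import error).
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$fromCrt = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($crt)
$fromPfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfx, $securePwd, $flags)

if (-not $fromPfx.HasPrivateKey) { throw 'PFX does not contain a private key' }
if ($fromPfx.Thumbprint -ne $fromCrt.Thumbprint) {
    throw "PFX leaf certificate ($($fromPfx.Thumbprint)) is not the .crt you supplied ($($fromCrt.Thumbprint))"
}
if ($fromPfx.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($fromPfx.NotAfter)" }

"PFX OK: $($fromPfx.Subject), expires $($fromPfx.NotAfter), thumbprint $($fromPfx.Thumbprint)"
```

If Windows later rejects the PFX with a "password is incorrect" error even though the password is right, the usual cause is an OpenSSL 3 default export (AES-256 with a SHA-256 MAC) landing on an older Windows build that cannot read it; re-export with the older PBE-SHA1-3DES key and certificate encryption (or the `-legacy` switch on OpenSSL 3) for that target only.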

Import PFX File into Exchange

I prefer to use PowerShell (if you want to use the Exchange Admin Center, scroll down). Run the following from the Exchange Management Shell. Two things to note: the -FileName path must be a UNC path, even when the PFX is sitting on the Exchange server itself, and the password is typed in clear text here, so it will be kept in your PowerShell history and in any transcript; on anything other than a test box, read it with Read-Host -AsSecureString instead.

[box]

Import-ExchangeCertificate -Server Server-Name -FileName "\\Server-Name\Share-Name\Certificate-Name.pfx" -Password (ConvertTo-SecureString -String 'Your-Password' -AsPlainText -Force)

[/box]

Copy the certificate thumbprint (as shown) to the clipboard.

Then you need to bind the Exchange services to this new certificate;

[box]

Get-ExchangeCertificate -Thumbprint YOUR-CERT-THUMBPRINT | Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP

[/box]

You will be asked whether to overwrite the existing default SMTP certificate; enter 'A' (Yes to All).

You should see the correct certificate used now, like so;
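The import, bind and check steps above as one Exchange Management Shell script, with the password prompted for rather than typed into the command, and a verification pass that confirms the new thumbprint is the one carrying the services and that Exchange rates it Valid. This is an added example, not code from the original article; it assumes Exchange 2013 or later, and the server and share names are placeholders.

```powershell
# Added example (not from the original article): import the PFX into Exchange,
# bind it to the client-facing services, and verify the result.
# Assumptions: run in the Exchange Management Shell on Exchange 2013/2016/2019;
# 'Server-Name' and 'Share-Name' are placeholders.
$server  = 'Server-Name'
$pfxPath = "\\$server\Share-Name\Certificate-Name.pfx"   # -FileName must be a UNC path

# Prompt for the password so it is not recorded in history or transcripts.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString

# -PrivateKeyExportable $true lets you move the certificate to another server
# later; leave it at the default ($false) if this should be the only copy.
$cert  = Import-ExchangeCertificate -Server $server -FileName $pfxPath -Password $pfxPwd -PrivateKeyExportable $true
$thumb = $cert.Thumbprint

# Bind the services. -Force answers the "overwrite the default SMTP
# certificate?" question, which is the 'A' in the interactive version.
Enable-ExchangeCertificate -Server $server -Thumbprint $thumb -Services IIS,SMTP,IMAP,POP -Force

# Verify: Exchange builds the chain and passes revocation checking (Status is
# Valid), the certificate is not about to expire, and every service is bound.
$live = Get-ExchangeCertificate -Server $server -Thumbprint $thumb
if ($live.Status -ne 'Valid') { throw "Certificate status is $($live.Status), expected Valid" }
if ($live.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($live.NotAfter)" }
foreach ($svc in 'IIS','SMTP','IMAP','POP') {
    if ($live.Services -notmatch $svc) { throw "Service $svc is not bound to $thumb" }
}

# List expired certificates that are still in the store so they can be removed
# with Remove-ExchangeCertificate once you are sure nothing else uses them.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Thumbprint -ne $thumb -and $_.NotAfter -lt (Get-Date) } |
    Select-Object Thumbprint, Subject, NotAfter, Services, Status
```

Delete the PFX from the share once the import succeeds; with the private key now in the local machine store there is no reason to keep a password-protected copy of it on a file server.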

Note: If you only see a blank page for OWA and Exchange Admin Center (ECP) after changing certificates, then see the following post;

Exchange – OWA and ECP Websites Blank After Logon

Import a PFX From Exchange Admin Center

Servers > Certificates > Select the appropriate Server > Ellipses > Import Exchange Certificate > Add the path to the PFX file, and its password > Next.

Add the server > Finish.

Now to enable the certificate for the appropriate Exchange services, select the cert > Edit > Services > Tick SMTP, IMAP, POP, and IIS > Save > OK.


Related Articles, References, Credits, or External Links

Exchange Certificate Import Error (reason: PrivateKeyMissing).

Exchange – Certificate Invalid ‘Revocation Check Failed’

Exchange: Blank Certificate Name

Exchange – OWA and ECP Websites Blank After Logon

Exchange: Blank Certificate Name

KB ID 0001411

Problem

You see this a lot with third-party (purchased) certificates, especially if you have imported them from somewhere else, e.g. a web site, an appliance, a NetScaler, etc.

The correct certificate is there; it just has no name. Exchange Admin Center displays the certificate's "Friendly Name" attribute, which is a local property of the certificate store entry rather than part of the certificate itself, so a certificate that was never given one on this machine shows up blank.

Solution

Open an MMC console (Start > Run > mmc {enter}) > File > Add/Remove Snap-in > Certificates > Select 'Computer account' > 'Local Computer' > Open Personal > Certificates > Locate your cert > Properties. (Running certlm.msc opens the Local Computer certificate store directly and skips the snap-in steps.)

Enter a ‘Friendly Name’ > Apply > OK > Close the MMC.

Back in Exchange Admin Center, simply click refresh.

Related Articles, References, Credits, or External Links

NA

SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you set up SBS 2008 (and Exchange 2007) it creates and uses a certificate issued by the server's own internal certificate authority, which is fine. By default that certificate only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one from the internal CA, here's how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed and you still can't access Certificate Services (CertSrv), then click here.

3. You are seeing this error because Certificate Services is installed but the "Certification Authority Web Enrollment" role service is not; you can add it from Server Manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request. You can write the PowerShell yourself, like so (the subject fields are placeholders; the cn must be the public name clients connect to):

[box] New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourpublicdomainname_co.csr -KeySize 2048 -SubjectName "c=gb, s=Your State/County, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomainname.com" -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at DigiCert do the heavy lifting for you.

7. Now you have the command, generate the request on the Exchange server > Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in the command above you set the path to c:\mail_yourpublicdomainname_co.csr). Locate it and open it with Notepad. Then select and copy ALL the text (copy it exactly as shown, no extra spaces etc.). The private key stays on this server; the request only contains the public half, which is why the issued certificate will pair with it at step 15.

9. If you have closed it, log back into the certificate services web access. Select "Request a certificate" > we will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:\the-name-of-your-cert.cer [/box]

As it imports, it shows you the thumbprint of the certificate; select it and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services “SMTP,POP,IMAP,IIS” [/box]

It will ask you for the thumbprint > paste it in > when asked whether to overwrite the default SMTP certificate, enter "A" (Yes to All).

17. That’s the job finished.
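The request, submission and import above as one Exchange Management Shell script, extended to the general case where the certificate also needs Subject Alternative Names (autodiscover and the server's internal name), and submitted to the SBS certificate authority with certreq so the CertSrv web front end is not needed at all. This is an added example, not code from the original article; every host name, the CA configuration string and the file paths are placeholders, and it assumes the account running it can request Web Server certificates from that CA.

```powershell
# Added example (not from the original article): request a certificate for
# Exchange 2007 that covers every name clients connect to, submit it straight
# to the SBS 2008 certificate authority, import the result and bind it.
# Assumptions: run in the Exchange Management Shell on the SBS 2008 server
# (PowerShell 1.0/2.0 era syntax, so no [type]::new()); all names, the CA
# configuration string and the file paths below are placeholders.
$publicName = 'mail.yourpublicdomainname.com'
# Names that must appear as SANs: the public name, the autodiscover name that
# Outlook and ActiveSync look up, and the internal FQDN used for Outlook Anywhere.
$sanNames   = 'mail.yourpublicdomainname.com',
              'autodiscover.yourpublicdomainname.com',
              'sbsserver.yourdomain.local'
$csrPath    = 'C:\mail_yourpublicdomainname_com.csr'
$cerPath    = 'C:\mail_yourpublicdomainname_com.cer'
$caConfig   = 'SBSSERVER\yourdomain-SBSSERVER-CA'   # "<CA host>\<CA name>", as listed by: certutil -dump

# 2048-bit key, exportable so the same certificate can later be moved to a
# reverse proxy or a replacement server. cn must equal the public name.
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -SubjectName "c=gb, s=Your County, l=Your City, o=Your Org, ou=Your Department, cn=$publicName" `
    -DomainName $sanNames -PrivateKeyExportable $true -FriendlyName $publicName

# Submit to the CA with the Web Server template from the command line; this
# avoids the CertSrv site and the SBS Web Applications/Default Web Site juggling.
& certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $csrPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE (is the request pending CA approval?)" }

# Import the issued certificate; it pairs with the private key created above.
$cert = Import-ExchangeCertificate -Path $cerPath
if (-not $cert.HasPrivateKey) { throw 'Issued certificate did not pair with a private key on this server' }

# Check the SANs survived issuance before binding anything to the certificate;
# a CA template can silently drop or replace them.
$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$sanExt  = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = ''
if ($sanExt) { $sanText = $sanExt.Format($false) }
foreach ($name in $sanNames) {
    if ($sanText -notmatch [regex]::Escape($name)) { Write-Warning "SAN $name is missing from the issued certificate" }
}

# Bind the services; answer 'A' (Yes to All) when asked about overwriting the
# default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,POP,IMAP,IIS'
```

A certificate from the internal CA is only trusted by domain-joined machines that have the SBS root in their store; phones and home PCs will still warn, which is why the article's first suggestion of buying a public certificate stands.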

SBS2008 Unable to access Certificate Services

I've seen this on a few SBS 2008 servers. When you install the web enrolment service it installs into the server's "Default Web Site". For any other Windows/Exchange combination that's fine, but SBS likes to do things its own way: it creates another web site called "SBS Web Applications" and uses that. That's fine, but only one of the two can be running at a time, because both bind to the same HTTP/HTTPS ports.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.


Related Articles, References, Credits, or External Links

NA